Date: 15 December 2008
References: ESB-2009.0159
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.1118 -- [Win][UNIX/Linux][Debian]
New uw-imap packages fix multiple vulnerabilities
15 December 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: uw-imap
Publisher: Debian
Operating System: Debian GNU/Linux 4.0
UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2008-5006 CVE-2008-5005
Original Bulletin: http://www.debian.org/security/2008/dsa-1685
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debians recommended that administrators
running UW-IMAP check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1685-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
December 12, 2008 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : uw-imap
Vulnerability : buffer overflows, null pointer dereference
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-5005 CVE-2008-5006
Two vulnerabilities have been found in uw-imap, an IMAP
implementation. The Common Vulnerabilities and Exposures project
identifies the following problems:
It was discovered that several buffer overflows can be triggered via a
long folder extension argument to the tmail or dmail program. This
could lead to arbitrary code execution (CVE-2008-5005).
It was discovered that a NULL pointer dereference could be triggered by
a malicious response to the QUIT command leading to a denial of service
(CVE-2008-5006).
For the stable distribution (etch), these problems have been fixed in
version 2002edebian1-13.1+etch1.
For the unstable distribution (sid) and the testing distribution
(lenny), these problems have been fixed in version 2007d~dfsg-1.
We recommend that you upgrade your uw-imap packages.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Source archives:
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imap_2002edebian1.orig.tar.gz
Size/MD5 checksum: 1517069 8ff277e7831326988d0ee0bfeca7c8ff
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imap_2002edebian1-13.1+etch1.dsc
Size/MD5 checksum: 874 ac3703de07e1cf10e7aa72a10a5fb20b
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imap_2002edebian1-13.1+etch1.diff.gz
Size/MD5 checksum: 99906 6c0172a213d199583e0d6c1dc5957a20
Architecture independent packages:
http://security.debian.org/pool/updates/main/u/uw-imap/ipopd-ssl_2002edebian1-13.1+etch1_all.deb
Size/MD5 checksum: 20760 b418a43ee29d858752497a83897588c9
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd-ssl_2002edebian1-13.1+etch1_all.deb
Size/MD5 checksum: 20756 4381ee8fe7865bc2fbf4f83f44ddd0e3
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_alpha.deb
Size/MD5 checksum: 50618 972cf2d773feb8547ba6cc0bd933dbea
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_alpha.deb
Size/MD5 checksum: 650718 1d084bff43e5efde07706f8b54134625
http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_alpha.deb
Size/MD5 checksum: 47364 d1550ecb166961b3dd7c948fd7333e18
http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_alpha.deb
Size/MD5 checksum: 26688 9a2ed6fd202bd4b7dfbd555170664979
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_alpha.deb
Size/MD5 checksum: 80168 d26aa9867204cbc27107bc0eb046649a
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_alpha.deb
Size/MD5 checksum: 1196482 41dba8f6a0cc1b7c602060ddf3dae58c
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_amd64.deb
Size/MD5 checksum: 1040748 89a2bb86ee48bbc3ce0ce6ac06736e5d
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_amd64.deb
Size/MD5 checksum: 76348 e2506d3191e383e511b73851f7b2403d
http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_amd64.deb
Size/MD5 checksum: 50416 9db96b845240094cb130050463e5b8da
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_amd64.deb
Size/MD5 checksum: 606040 458cf8d820a650978eed89b234c2d018
http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_amd64.deb
Size/MD5 checksum: 46470 a6f2e3922fdd861d7209635ffc03b35b
http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_amd64.deb
Size/MD5 checksum: 26394 847986887b14d0a038057478d2b30872
arm architecture (ARM)
http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_arm.deb
Size/MD5 checksum: 46642 b0e4a64cf30e20dc069e3a57259235ce
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_arm.deb
Size/MD5 checksum: 75798 b41386db73222899258e743a33c4f639
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_arm.deb
Size/MD5 checksum: 959814 d4589284f56b8e5746495c7ffb107a91
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_arm.deb
Size/MD5 checksum: 589126 91754725dff8d6cea245b24af8b963bb
http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_arm.deb
Size/MD5 checksum: 26082 fbe01ef72a463c603ee2802d5a83c863
http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_arm.deb
Size/MD5 checksum: 46566 f8e9a765ce2398f1361b2a3d23fc68ae
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_hppa.deb
Size/MD5 checksum: 49834 38e164bb266c4ac2b64efb1823520ad2
http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_hppa.deb
Size/MD5 checksum: 26948 859538b21ee583afd0eae0fe23f5ccec
http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_hppa.deb
Size/MD5 checksum: 48276 fc635c859779ac21c7f3b5e1330ac96e
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_hppa.deb
Size/MD5 checksum: 78030 13a4830e58146dada9a4312ea1c0878e
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_hppa.deb
Size/MD5 checksum: 1122112 6816e9ad9b34393fdc0a2a13d5e6c03a
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_hppa.deb
Size/MD5 checksum: 638360 a22f4b8a0309cb3f7f24281c4b180c40
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_i386.deb
Size/MD5 checksum: 26270 918de156aad623e201675f53e5a7390b
http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_i386.deb
Size/MD5 checksum: 47736 635d0586f0067de7051a7b96da96489b
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_i386.deb
Size/MD5 checksum: 73758 92a54d90386b2d791e7833491b1a16e1
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_i386.deb
Size/MD5 checksum: 976232 eda1d42fcf0a044eaf7b761090d203ef
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_i386.deb
Size/MD5 checksum: 598438 10c608db26e0313c24fa806ac841e47e
http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_i386.deb
Size/MD5 checksum: 45742 53defc689a358a10ecc885846c42f2bd
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_ia64.deb
Size/MD5 checksum: 54828 10f59379b3b9710afca1ac83ca409ce8
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_ia64.deb
Size/MD5 checksum: 89592 8981c9ce87c1a854e986c84ac0284b90
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_ia64.deb
Size/MD5 checksum: 1205586 6fe1eb318b9c51cc4ce7dce1c0c2d01e
http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_ia64.deb
Size/MD5 checksum: 27648 bb12979a5cf7ff84e0f233167e994b8c
http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_ia64.deb
Size/MD5 checksum: 62708 d601a2d1ef511702fd31c9953abc2dd0
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_ia64.deb
Size/MD5 checksum: 744690 33ddf81a4b04fe817c95c1f4e828d3d4
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_mips.deb
Size/MD5 checksum: 1103000 12bfd3f9698096d667d5623c246b17f6
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_mips.deb
Size/MD5 checksum: 74734 a88fe50a66f89f4620cc88f0902d384e
http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_mips.deb
Size/MD5 checksum: 47006 3b171e1e0d591d05191e187154600ae0
http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_mips.deb
Size/MD5 checksum: 45228 f28bf5c2fb4ca704d151e07ddeb0b14c
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_mips.deb
Size/MD5 checksum: 606472 919acee3427f101ad7d929611c7b1fa7
http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_mips.deb
Size/MD5 checksum: 26006 c8b6b70bcaf09ca353cfcec8030c51ab
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_mipsel.deb
Size/MD5 checksum: 26482 8a3e4fa1b89f5948ea5647fb56f01faf
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_mipsel.deb
Size/MD5 checksum: 74914 b6aa38a2f191d317d2d4509670fa9337
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_mipsel.deb
Size/MD5 checksum: 1078056 103f0633e98faa29517a63c827109bc5
http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_mipsel.deb
Size/MD5 checksum: 47642 5cc42be0a5dc83fd8ca5b66cf422a974
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_mipsel.deb
Size/MD5 checksum: 605734 f0de3efdd6f797910ac856c624ec109e
http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_mipsel.deb
Size/MD5 checksum: 46028 1ba982a87d77197645a543dc8b27b6a7
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_powerpc.deb
Size/MD5 checksum: 50206 f4fde759040b7520e72adeea14dd7587
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_powerpc.deb
Size/MD5 checksum: 74158 b945eea07eec4357825cfc16fed7bf4e
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_powerpc.deb
Size/MD5 checksum: 605242 5914dedf470cfd20024c20224290e3b0
http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_powerpc.deb
Size/MD5 checksum: 26410 2c7881339151f91143572bdf7af420dd
http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_powerpc.deb
Size/MD5 checksum: 47642 ad645882db05a4d3fa1080c181eece39
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_powerpc.deb
Size/MD5 checksum: 1109820 d5e5f0f48b8edee35e29354119b7d2a3
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_s390.deb
Size/MD5 checksum: 623664 c635c4b77cef027eb42faef8e6727c59
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_s390.deb
Size/MD5 checksum: 78150 b5a7a33230a9162e2308446b45466284
http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_s390.deb
Size/MD5 checksum: 26540 d45c1a7782161483c37a7e00c8fdc700
http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_s390.deb
Size/MD5 checksum: 48374 1fd3a101cd59eb59abec32014c397c18
http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_s390.deb
Size/MD5 checksum: 49490 7ea6ec2d1d99af8ac12a9fee77e3027d
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_s390.deb
Size/MD5 checksum: 1109484 0fac4ece552d53c1e5c36d39539c7947
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/u/uw-imap/uw-mailutils_2002edebian1-13.1+etch1_sparc.deb
Size/MD5 checksum: 47416 51529ae793ae7f166c47fb2e23a0413e
http://security.debian.org/pool/updates/main/u/uw-imap/ipopd_2002edebian1-13.1+etch1_sparc.deb
Size/MD5 checksum: 46480 81c03a62740ad668f8c008b1a71be6ab
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client-dev_2002edebian1-13.1+etch1_sparc.deb
Size/MD5 checksum: 967750 8edd729d4e4a9380764efc693b1d50ad
http://security.debian.org/pool/updates/main/u/uw-imap/mlock_2002edebian1-13.1+etch1_sparc.deb
Size/MD5 checksum: 26334 1dc5709d6db104eaf92e327b90b55130
http://security.debian.org/pool/updates/main/u/uw-imap/libc-client2002edebian_2002edebian1-13.1+etch1_sparc.deb
Size/MD5 checksum: 596486 3c3eb2be8fb28c59de0d2bb090e0e5b9
http://security.debian.org/pool/updates/main/u/uw-imap/uw-imapd_2002edebian1-13.1+etch1_sparc.deb
Size/MD5 checksum: 74884 39b9e029302ff6eebe08a731882181da
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQEcBAEBAgAGBQJJQgX7AAoJEL97/wQC1SS+oUQH/3thtH7e8l4AfK6fsgidhRv1
I7g4omGUHQ86nbyizAOyZpumYBDg5DTOGs3diqDE5dSFYDv9/8vKttSNi/q23flV
gmQvHHMbLLchzXWR0O6rNUvUBbegh/H+t23mYX3c5SZxaGGpyYHBfyhUeiUi1nMR
6CoeQexTX1gTl4YeKR2VFwrbvBuWVJYXpKoi3jBL26gn/fUm3sAzDQTPjQURiQGY
pd7RwvfO8Sx7Ur3XnLm/YYfY0yD9DwoHrnnFK7QQL4JMedip8jt4eiwJunKYzA3S
jjS5q4U//7UhLolcWKl1rnIIjQk3b92DhN3phztbSRsfcySAnbyZ+4i6R4+kuMw=
=1LWm
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSUWi9yh9+71yA2DNAQJkEAP/Z1pOKs8XLJQluwr4pfqA7BhN7hQoGiu1
uqmLDpJwPBthPf0JzO15Y/Mx5RUZZIEvLc0C0a1qZHQo8M4UkZF8hK6+mjISfWlx
MvnuJHT/jFnemMtJx4VpiyFMOlu0IIXW60vOsjvBMFN73BjEmBzT2n6pjdcGxEX1
5cvu1Ex5cFo=
=3C1R
-----END PGP SIGNATURE-----
|